PAR validator
1. Additional validation of PAR requests
The PAR endpoint of the Connect2id server
authenticates the client (if confidential) and performs all standard checks on
the pushed authorisation request, such as ensuring the overall validity of the
request and that the client is registered for the requested response_type
. If
the client submitted a JWT-secured request (JAR), it will be validated and
unwrapped.
A Java Service Provider Interface (SPI) is made available for carrying out additional checks on the pushed authorisation request, after the Connect2id server has completed the standard validation. You can use it to plug in your own custom rules for additional validation.
The SPI is available since v8.0.
2. PAR validator SPI
To plug in your own custom checks implement the PARValidator SPI defined in the Connect2id server toolkit:
https://bitbucket.org/connect2id/server-sdk
Features of the PAR validator SPI:
- Carry out additional validation of the pushed authorisation request.
- Provides access to the registered information for the client.
- If the request is rejected allows setting of an HTTP status code, error code and message.
3. Example
Sample PAR validator to check if the submitted authorisation request scope values are present in the OAuth 2.0 client registration.
import com.nimbusds.oauth2.sdk.*;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.provider.spi.par.*;
public class ScopeValidator implements PARValidator {
@Override
public void validate(final AuthorizationRequest authzRequest,
final ValidatorContext validatorCtx)
throws GeneralException {
OIDCClientInformation clientInfo = validatorCtx.getOIDCClientInformation();
if (clientInfo.getMetadata().getScope() == null || ! clientInfo.getMetadata().getScope().containsAll(authzRequest.getScope())) {
Scope unacceptedScope = new Scope(authzRequest.getScope());
unacceptedScope.removeAll(clientInfo.getMetadata().getScope());
String msg = "Scope not accepted: " + unacceptedScope;
throw new GeneralException(
msg, // will be logged by the Connect2id server
OAuth2Error
.INVALID_SCOPE
.setHTTPStatusCode(400)
.setDescription(msg));
}
}
}
4. Support
Our Connect2id support team is available if you need help with integrating a custom PAR validator.